Certified Information Privacy Professional (CIPP) Practice Questions 2026 – All-in-One Guide to Exam Success!

Question: 1 / 400

What are Sandy's notification requirements after a breach affecting 800 individuals?

A. Notify victims within 60 days

B. Notify HHS and victims within 60 days

C. Notify victims as part of the annual privacy notice

D. Notify victims, HHS, and local media within 60 days

The correct answer highlights the obligation to notify victims, the Department of Health and Human Services (HHS), and local media within 60 days of a data breach affecting 800 individuals. This requirement stems from the Health Insurance Portability and Accountability Act (HIPAA) and its corresponding breach notification rules.

When a breach occurs that affects 500 or more individuals, covered entities must notify not only the affected individuals but also the media and HHS. The requirement for local media notification is specifically mandated for substantial breaches to ensure public awareness and facilitate additional protective measures for the community. The timeframe of 60 days is the standard established to ensure timely communication and transparency.

The other choices do not fully address the requirements for a breach of this magnitude. For instance, while notifying victims is crucial, notifying only them, or folding the notification into the annual privacy notice, fails to meet the comprehensive obligations outlined by HIPAA. Additionally, notifying HHS without including the media could downplay the potential impact of the breach on the public, which is why option D is the most complete and accurate answer.
